CVE-2026-26190
Published: 13 February 2026
Description
Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation. The full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, allowing unauthenticated access to all business operations including data manipulation and credential management. This vulnerability is fixed in 2.5.27 and 2.6.10.
Mitigating Controls (NIST 800-53 r5)
- AC-3 Access Enforcement: enforces approved authorizations for access to system resources, directly preventing unauthenticated use of the /expr debug endpoint and the /api/v1/* REST API.
- CM-7 Least Functionality: restricts or disables nonessential capabilities such as the /expr debug endpoint and the unauthenticated full REST API on the management port, removing the exposure to authentication bypass.
- SI-2 Flaw Remediation: requires identification, assessment, and timely remediation of flaws such as this authentication bypass, which is addressed by the patches in Milvus 2.5.27 and 2.6.10.
Security Summary
CVE-2026-26190 affects Milvus, an open-source vector database designed for generative AI applications. In versions prior to 2.5.27 and 2.6.10, the software exposes TCP port 9091 by default, enabling authentication bypasses. Specifically, the /expr debug endpoint relies on a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), which allows arbitrary expression evaluation. Additionally, the full REST API (/api/v1/*) is registered on the metrics/management port without any authentication, granting access to all business operations. The vulnerability is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306 (Missing Authentication for Critical Function).
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By connecting to the exposed port 9091, they can bypass authentication on the /expr endpoint using the predictable token to execute arbitrary expressions. Access to the unauthenticated REST API enables full manipulation of vector database operations, including data read/write, deletion, and credential management, potentially leading to complete compromise of the database.
The Milvus security advisory (GHSA-7ppg-37fh-vcr6) and related GitHub releases confirm the issue is fixed in versions 2.5.27 and 2.6.10. A specific commit (92b74dd2e286006a83b4a5f07951027b32e718a9) addresses the authentication flaws by securing the debug endpoint and protecting the REST API endpoints.
Milvus's role in generative AI applications highlights its relevance to AI/ML infrastructures, where vector databases store embeddings for large language models and retrieval-augmented generation workflows. No public evidence of real-world exploitation is available as of the CVE publication on 2026-02-13.
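As an added example (not code from the advisory or the Milvus project), the check below tells a defender whether an inventoried Milvus release falls inside the affected ranges stated above: everything before 2.5.27, and 2.6.0 through 2.6.9. It assumes that 2.7 and later already carry the fix and treats a pre-release tag such as 2.5.27-rc1 as preceding the fixed release; the host names in the sample inventory are constructed.

```python
"""Affected-version check for CVE-2026-26190 (Milvus), written for this page.

Fixed releases per the advisory: 2.5.27 and 2.6.10. Treated as affected:
every release before 2.5.27 (so 2.4.x and earlier too) and 2.6.0 .. 2.6.9.
Assumption: 2.7 and later already carry the fix.
"""
import re
from typing import Dict, Tuple

# Four-tuple so a pre-release tag (2.5.27-rc1) sorts below the final 2.5.27.
Version = Tuple[int, int, int, int]
FIXED_2_5: Version = (2, 5, 27, 1)
FIXED_2_6: Version = (2, 6, 10, 1)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Version:
    """Parse 'v2.6.9' or '2.5.27-rc1' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Milvus version string: {text!r}")
    major, minor, patch, pre = m.groups()
    # Final release -> 1, pre-release -> 0, so "2.5.27-rc1" < "2.5.27".
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True when the release lies in a range the advisory describes as vulnerable."""
    v = parse_version(version)
    if v < FIXED_2_5:
        return True  # anything older than 2.5.27, on any minor line
    if v[:2] == (2, 6) and v < FIXED_2_6:
        return True  # 2.6.0 through 2.6.9
    return False


def audit(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Flag each host in a {host: version} inventory that still needs the patch."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"vec-db-01": "2.5.26", "vec-db-02": "v2.6.9",
              "vec-db-03": "2.6.10", "vec-db-04": "2.4.15"}
    for host, flagged in audit(sample).items():
        print(f"{host}: {'AFFECTED - upgrade' if flagged else 'fixed'}")
```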
Details
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
- Affected Products: Milvus prior to 2.5.27 and 2.6.10
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: generative ai
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote access to public-facing Milvus vector database via exposed port and weak API authentication (T1190) enables unauthorized data collection and manipulation from the database (T1213.006).